TTP in cybersecurity
Tactics, Techniques, and Procedures describe the behaviors, methods, and tools used by threat actors when carrying out cyberattacks, providing valuable context for understanding how attackers operate and improving defenses.
TTP stands for Tactics, Techniques, and Procedures, and is used in cybersecurity to describe the behaviors, methods, and tools used by threat actors in carrying out cyberattacks.
TTPs provide valuable context for understanding how attackers operate and can be used to improve defense strategies.
Tactics
Tactics refer to the high-level goals or objectives of a threat actor. They are broad descriptions of why a particular action is performed. For example, a tactic might be to gain initial access to a network, escalate privileges, or exfiltrate data.
Techniques
Techniques are the specific methods used to achieve the goals described by the tactics. They provide a more detailed view of how a threat actor accomplishes their objectives. For instance, spear-phishing email is a technique used to achieve the tactic of initial access.
Procedures
Procedures are the specific implementations of techniques. They are the most detailed level and describe exactly how a threat actor carries out their activities. Procedures can include the specific malware used, the particular vulnerabilities exploited, or the exact commands executed.
TTPs are a core component of many cybersecurity frameworks, including the widely used MITRE ATT&CK framework. By understanding TTPs, organizations can better predict and prevent cyberattacks, as well as improve their response to incidents.
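The following is an added example, not code from the original page, showing how the three layers fit together in practice: constructed log lines are matched by procedure-level rules, rolled up to the technique each procedure implements, and then to the tactic each technique serves, so an analyst can see which stages of an intrusion the available telemetry covers. The tactic and technique IDs (TA0001, TA0002, TA0004, TA0010, T1566.001, T1059.001, T1078, T1041) are the public MITRE ATT&CK identifiers; the regex rules and the sample log lines are constructed for this illustration and are not a real detection ruleset.

```python
"""Roll observed procedures up to ATT&CK techniques and tactics.

Added illustration of the tactic/technique/procedure hierarchy; not code
from the original page. IDs are public ATT&CK identifiers; the matching
rules and log lines are constructed for this example only.
"""
import re
from collections import defaultdict

# Tactics (the "why"): ATT&CK tactic ID -> name.
TACTICS = {
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0004": "Privilege Escalation",
    "TA0010": "Exfiltration",
}

# Techniques (the "how"): ATT&CK technique ID -> (name, tactic it serves).
TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", "TA0001"),
    "T1059.001": ("PowerShell", "TA0002"),
    "T1078": ("Valid Accounts", "TA0004"),
    "T1041": ("Exfiltration Over C2 Channel", "TA0010"),
}

# Procedures (the "exactly what"): a concrete observable -> technique ID.
# These regexes are constructed for the example, not production rules.
PROCEDURE_RULES = [
    (re.compile(r"attachment=.*\.docm"), "T1566.001"),
    (re.compile(r"powershell(\.exe)?\s+-enc", re.I), "T1059.001"),
    (re.compile(r"logon type=10 .* account=svc_backup"), "T1078"),
    (re.compile(r"POST .* bytes_out=\d{7,}"), "T1041"),
]

# Constructed sample telemetry; not taken from any real system.
SAMPLE_LOG = [
    "2024-01-01T09:00:01 mail: from=ext@example.invalid attachment=invoice.docm",
    "2024-01-01T09:02:15 proc: powershell.exe -enc SQBFAFgA...",
    "2024-01-01T09:05:40 auth: logon type=10 host=fs01 account=svc_backup",
    "2024-01-01T09:30:00 proxy: POST http://203.0.113.5/up bytes_out=48213000",
    "2024-01-01T09:31:00 proc: notepad.exe",
]


def classify(line):
    """Return the technique ID whose procedure rule matches the line, or None."""
    for pattern, technique_id in PROCEDURE_RULES:
        if pattern.search(line):
            return technique_id
    return None


def map_ttps(lines):
    """Group matched lines as {tactic_id: {technique_id: [lines]}}.

    Unmatched lines are dropped; everything else is attributed to the
    technique it evidences and the tactic that technique serves.
    """
    result = defaultdict(lambda: defaultdict(list))
    for line in lines:
        technique_id = classify(line)
        if technique_id is None:
            continue
        _, tactic_id = TECHNIQUES[technique_id]
        result[tactic_id][technique_id].append(line)
    return {tactic: dict(techs) for tactic, techs in result.items()}


def tactic_coverage(mapping):
    """Return the tactic IDs in TACTICS for which no technique was observed."""
    return sorted(t for t in TACTICS if t not in mapping)


def report(lines):
    """Print the hierarchy for the given lines and list uncovered tactics."""
    mapping = map_ttps(lines)
    for tactic_id, techs in mapping.items():
        print(f"{tactic_id} {TACTICS[tactic_id]}")
        for technique_id, hits in techs.items():
            name, _ = TECHNIQUES[technique_id]
            print(f"  {technique_id} {name}: {len(hits)} event(s)")
            for hit in hits:
                print(f"    {hit}")
    print("tactics with no observed technique:", tactic_coverage(mapping) or "none")
    return mapping


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run as a script it prints the tactic/technique/procedure tree for the constructed log and reports any tactic the telemetry never hit; feeding it only the first two lines, for instance, shows that Privilege Escalation and Exfiltration are unobserved, which is the kind of gap a detection engineer uses TTP mapping to find.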